Last week, the New York Times scooped a story that the Obama administration “intensely debated” plans to use cyber warfare as part of the March 2011 military intervention in Libya and in the May 2011 operation in Pakistan that led to the death of Osama Bin Laden. The tactics under consideration were completely military in scope – both planned cyber missions involved disrupting radar communications through military networks, i.e., not disabling power or other services that would have affected civilians. Still, openly deploying cyber tactics in a war theater is a bold step that has yet to be taken, despite the fact that many nation states already openly possess a structured cyber military command.

The Pentagon was actually in the middle of the pack when it merged the JTF-GNO and 24th Air Force with other DoD components to form US Cyber Command at the turn of the fiscal year on October 1, 2010, after Russia, Israel, Iran, and North Korea had already formed similar commands in their militaries. In June 2011, the Pentagon released details of its cyber warfare strategy, which cited that it considered cyber an operational domain – akin to sea, air, land, and space as a place where war is fought and where defensive and offensive posturing and operations are required.

While there have already been subversive and unclaimed cases of nation state backed cyber operations (most notably the Stuxnet worm and the Comodo and DigiNotar hacks), no country has yet openly utilized cyber warfare in battle scenarios such as the ones considered by the Pentagon in the Libya and Pakistan missions. The Pentagon decided to refrain from breaking this seal just yet, likely because the geopolitical ramifications of such a move are still largely unknown.

Expanding the concept of warfare to include cyber operations is dicey business, and work on the legal and political front can make the actual hacking involved seem like the easy part. The few precedents that exist on the topic of new forms of warfare involve tactics with highly negative connotations (like nuclear, biological, and chemical weapons). Aside from the 100 year old Hague Conventions, there is no single governing body or document that sets the standards or rules of engagement for international warfare. Still, nations have already clocked years carefully issuing statements and declarations, filing briefs with international courts, and working press and political machines to further their cyber agenda.

In response to the Times story, the Pentagon has been gracefully explaining how the debated cyber strikes against enemy radar systems are not offense plays but rather an ‘active defense’ tactic, akin to jamming radar through more conventional means.

The Pentagon makes a compelling argument. One must weigh how different the proposed cyber strikes would be compared to the widely accepted use of radar jamming technology like the EF-111A Raven jet, which served as an unarmed electronic warfare platform from 1983 until 1995 and was deployed in the 1986 strikes against Libya ordered by President Reagan. The planned cyber operation, very likely against the exact same radar installations as in 1986, achieves the same effect – a temporary loss of readout on a command center’s radar screen – only without the risk and expense of sending a pilot and jet into the war zone. It also avoids the alternative option of delivering a radar-seeking AGM-88 HARM missile to the installation, destroying both the facility and the people inside.

This is emblematic of what the Pentagon and White House face when deciding to pull the trigger on a cyber weapon. Deploying cyber tactics can and will conserve significant costs and, more importantly, save lives and protect soldiers. Adversaries, however, will see the gates of cyber warfare being thrown open and could use that narrow fact as license to openly attack military and civilian infrastructure at will.

It is no secret that the most sensitive cyber target in North America is the fragile and interdependent electrical grid that provides power to the entire Eastern Seaboard. In utility terms this stretches from Toronto, Canada to Charlotte, NC – while a similar vulnerable grid region exists on the west coast, running from Southern California to Phoenix, AZ. CBS reported in 2010 that a highly plausible cyber attack on either infrastructure would create a cascading effect that could black out the region for months, devastate the civilian population, grind the national economy to a halt, and leave the continent highly vulnerable to invasion.

The report also cited two events in Brazil where hackers succeeded in causing massive blackouts in major cities that lasted for days, and displayed shocking video footage from a US government test at Sandia National Laboratories in which a penetration testing team hacked into the SCADA controllers of a 10,000 watt power generator and rigged the generator to destroy itself. The video shows the generator billowing black and white smoke after an implosion that lifted the entire platform inches off the ground.

The speed with which development of cyber warfare capability has emerged is certainly impressive, and demonstrates the ease of entry into the game. Unlike nuclear technology, cyber capabilities aren’t constrained by the need for rare earth materials, time-consuming enrichment, expensive development processes, or advanced science techniques. For better or worse, information technology always lives up to its promise of taking previously impossible tasks and making them incredibly easy to accomplish on an immensely fast timeframe.

Figure: The five capabilities of Information Operations and the three activities of Computer Network Operations. Source: United States Joint Chiefs of Staff Publication 3-13.

Practitioners of Computer Network Attack (CNA) can be successful using simple ingenuity instead of high technology. Computing power can be harnessed via botnets or cloud environments instead of purchased and assembled in expensive (and traceable) datacenters. Inversely, access to compromised systems on sensitive networks can be quickly purchased or traded via online black markets. Entire exploit techniques, advancements, and even specific exploit code can be borrowed, stolen, or plagiarized online and quickly put to use before discovery and remediation efforts take place by practitioners of Computer Network Defense (CND).

Israel and Iran appear to be already covertly engaged in the deep chess game of Computer Network Exploitation (CNE), defined by technical gurus and war colleges alike as the practice of gathering and sustaining cyber attack readiness. The exchange demonstrates how cyber assets are much more fluid than tangible weaponry, and how even entire capabilities can be lost as quickly as they are gained, without warning. This flies in the face of war strategies and tactics that have persevered for literally thousands of years, and to many seasoned practitioners of traditional warfare, cyber CNE is akin to playing chess on a three dimensional board with no rules, where fortunes can drastically change in an instant.

The emergence of cyber warfare is without a doubt the most drastic game changer the world has seen since the atomic bomb devastatingly went public over 65 years ago. The cyber era that secretly began in the last decade is now publicly upon us, and will undoubtedly progress from covert cyber operations to open battle tactics and onward to the very plausible, some say inevitable, cyber-induced large scale catastrophe.

The ease of entry and immensely destructive potential of cyber attacks has ushered in the reality of cyber proliferation, as many nations are very carefully posturing their cyber warfare policies while the covert undercurrent of cyber asset possession and loss is already churning. The Cold War era will prove to be a great practice run, as the future will undoubtedly see the concepts and controversies of nuclear proliferation applied to the geopolitical issues surrounding the cyber warfare ‘question’.

Further complicating matters is the fact that nation state backing is not required to engage in devastating cyber warfare tactics. Rogue groups or even individuals can play in this space as well, leaving the door open for small, radical entities to inflict large scale damage.

If left unchecked, the cyber threat can become the proverbial Achilles Heel of any nation – this one fact drives the origin and persistence of cyber proliferation, and will continue doing so for decades to come.

Len Marzigliano is an Information Assurance Manager with defense contractor BAM Technologies in Arlington, Virginia and a researcher for InfoSec Institute. With over 20 years experience as an IT contractor and consultant, Len has worked with hundreds of organizations and project teams in commercial, civilian federal, and defense environments worldwide.

His certifications include (ISC)2 CISSP, NSA IAM/IEM, and EXIN ITIL. Len’s information security blog can be found at http://www.zigthis.com.

2 responses to “The Pandora’s Box of Cyber Warfare”

I was in a (network security) class recently and one of the other students was an ex-Army Ranger who was now working Information Assurance (network security) at a company stateside. Ranger-x liked to brag about how secure his network was both at work and at home.

One day the Professor was giving a virtual field-trip and demo. All but 2 students were amazed at the demo that showed their vulnerabilities. I had seen the demo several years before (and yeah, I had some exposure), and Ranger-x could not hit the internet in time for the demo. His system was secure but not capable of doing anything, i.e., useless.

Moral of the story: There is an inherent level of risk involved in any system that is connected and turned on. Only disconnected systems or those turned off are 100% secure, and that is useless to people, or business or government. Being aware of the dangers and guarding against the most common and/or most dangerous is the best you can do. Create a DMZ, isolate your critical systems, and install IDS and IPS but you still have to be able to work.

Excellent point Charles – and I believe the true tenets of information security do address this:

Of the six security elements in the Parkerian Hexad (Confidentiality, Integrity, Availability, Possession, Authenticity, and Utility), two of them (Availability and Utility) address the accessibility and usefulness of the data/system. Proper security practices dictate that these must be upheld just as much as the other four.

Sure, closing off ports 80 and 25 would certainly work wonders to protect Ranger-x, but the resultant loss of functionality should cause the tenets of Availability and Utility to blink red and compel him to bring things back into balance – a more granular firewall policy perhaps.

When Utility is overlooked, issues like you describe with Ranger-x can and will occur. This is one of the many reasons why I prefer applying the Parkerian Hexad whenever possible, instead of relying on the more pedestrian C-I-A triad currently taught in certification programs and universities alike.

Your statement about the ‘inherent risk’ of powering up any system is true – and the practice of Information Security Risk Management (ISCM) as defined in NIST SP800-137 exists to address this.

While universally agreed that the goal of total 100% security is unattainable, any enterprise should nonetheless strive for it, while remembering the balance of what constitutes ‘security’ in the first place.
